Wednesday, January 27, 2010

iPad - missing the point

All the reviews for the Apple iPad seem to be positioning it as a Kindle competitor.

This is rather silly as the point of kindling is that you use it to start the fire. It is the first fuel to be consumed.

To understand where Amazon is going with Kindle people should look to the fact that there is already a Kindle viewer for the iPhone which according to the Apple site should work on the iPad unless Apple is silly enough to attempt to block it. There is also a Kindle reader for the PC and a reader for Mac is promised.

The point of the Kindle was to allow Amazon to build an early lead in the eBook market and to prevent Apple from dislodging it in the way that Apple has managed to dismantle the power of the record labels. Kindle has clearly met that objective.

The iPad is simply a logical extension of the Kindle concept that is optimized for video, games and pictures rather than a dedicate book reader.

Rather too much is also being made of Amazon's recent 'change' in their pricing policy. Under the old pricing policy the publisher got 30% of the recommended retail price which Amazon routinely discounted by a third. So the publisher would recommend a price of $15 which Amazon would discount to $10 and receive $4.50 per copy. Under the new scheme the publisher gets 70% of the sales price provided they agree to a recommended price of $2.99 to $9.99 that is at least 20% lower than the hardcover price and agrees to enable text-to-speech. So the royalty rates are actually rising from 45% to 70% and only if the publisher is also willing to take a considerable price cut. The net result is that it makes little sense for a publisher to charge more than $9.99 for a Kindle book unless they are going to charge a minimum of $23.33.

Amazon is still making a nice profit from Kindle sales, but their cost of sales is no longer negligible. Associate fees are 10% of Kindle sales and the costs associated with payment processing and running the Amazon site and brand are likely to take up another 10%. Kindle royalties might rise a little further in the future, but any rise is going to significantly cut into Amazon's profit.

Why charging illegal entry?

Someone asked me why O'Keefe has been charged with illegal entry rather than wiretapping.

The answer is that this is likely a holding charge. The prosecutors have all the evidence they need to win a conviction for attempting to gain entry to Federal property for the purpose of committing a crime. That alone carries a sentence of ten years. Burglary is the act of breaking and entering for a criminal purpose. The actual taking of property a separate offense: theft.

But the FBI and the prosecutors will almost certainly be adding additional charges before taking the case to a grand jury. They will also be looking to see if the group have attempted any other breakins and in particular the possibility that they might have succeeded.

What charges are likely? Well the Pellicano case is a fairly close comparison. Pellicano was eventually sentenced in December 2008 to 15 additional years in prison, and ordered (with two other defendants) to forfeit $2 million [Wikipedia].

Pellicano was engaged in his activities for several years and so he was charged with RICO Conspiracy. He also attempted to cover up his activities and so he was charged with witness tampering, false statements and destruction of evidence.

Of the Pellicano charges, the charge of Interception of Wire Communications does not apply on the basis of the facts set out in the indictment. It would apply if the conspirators had been allowed to actually place the wiretap and it was used to intercept a communication. But had that happened I would expect it to have been reported in the affidavit and charged as per the indictment. It may turn out that the conspirators intercepted other communications in which case they would be liable for either a one year or a five year sentence depending on the circumstances.

A count of Posession of an Electronic Communication Interception Device (18 USC 2512) seems likely, but that only has a sentence of five years.

According to the facts as we currently understand them, the activities of O'Kefee and his conspirators were nowhere near as extensive as those of Pellicano, nor did they succeed. But against that there is the fact that they attempted to bug the telephone of a United States Senator.

Another third rate burglary

The FBI Affidavit provides some very interesting information on what Democrats are now referring to as the 'Louisiana Watergate'. Conservative propagandist James O'Keefe and three accomplices were caught allegedly attempting to tap the phones of Senator Landrieu.

As the Senator's office is on Federal property, the holding charge of attempting to gain entry to Federal property for the purpose of committing a crime carries a maximum ten year jail sentence.

The affidavit itself reads like a bad script for an episode of the A-Team. Two members of the group dressed up as telephone repairmen and attempted to gain access to the telephone closet. They headed for the Senator's office, attempted pretexting and were directed to the GSA office down the hall where the plot was uncovered when the pair were asked for identification and claimed to have left it in their van.

Now it is quite possible that a GSA employee would have been trained to recognize a telephone company ID badge, but I don't know what one looks like and the typical security guard at a non-government facility wouldn't either. For a few hundred bucks the conspirators could have bought a second hand badge printer on EBay to create their own badges and greatly reduced the chance of getting caught.

Using fake ID reduces the risk of being caught but increases the penalties if caught. Possession of a fraudulent access device is a federal crime, as is possession of means to create fraudulent access devices. Using real identification greatly increases the risk of being caught, but some do so anyway.

So how does a facility protect itself against this type of attack?

At this point we do not know where the conspirators first aroused suspicion, it is quite likely that they were considered suspect from the minute they walked in the door. A well designed security process has multiple layers and multiple checks:

  • Check Government ID
  • Confirm Corporate ID
  • Check contact name
  • Confirm with contact
  • Escort visitor
  • Defined process

The first line of defense is to ask for government issued ID. With fifty states, there is considerable variation in driving licenses, but they are at least a closed set and a telephone repairman handing over a New York drivers license in Louisiana should be asked for an explanation. Most state driving licenses have anti-counterfeiting measures built in and are printed on distinctive stock.

Corporate ID provides an additional check but is not a substitute for government issued ID. Corporate ID should of course match the government ID.

My experience of government buildings is that government issued ID is required to enter the building. This alone would make the conspirator's claim that they left their ID in their van very suspicious.

Another thing that is required to enter a government building is a contact person. It is quite likely that the conspirators bypassed this requirement by giving the Senator's Office as the contact. 'Walk-ins' are a common occurrence at politician's offices of course, but a tradesman coming to perform work without a specific contact name should be a red flag.

In most government buildings, visitors require an escort unless they are visiting a separate area that is specifically designated as public access. Most of the newer corporate offices in Silicon Valley now have meeting rooms that connect directly to the lobby. This allows employees to meet visitors without bringing them into the part of the building where company confidential material might be on display.

Security procedures of this sort have become standard practice in most US companies in the wake of 9/11, at least with regard to the form which is easily copied. What is not easily copied are the less visible parts of the system such as what should happen when work needs to be done on the telephone system.

The most important security control is to have a defined procedure so that the person responsible for implementing it knows what to do. In the case of a GSA facility, there will be a written policy describing precisely which individuals should have access to the telephone system and under what circumstances. That process will anticipate the possibility that a bogus telephone repairman would turn up attempting to place a wiretap, not least because the process will have been extensively reviewed and quite possibly red-teamed by CIA teams responsible for attempting similar operations against foreign powers.

Tuesday, January 12, 2010

Crotchbomber changed return flight

Much is being made of the failure of the authorities to catch Farouk AbulMutalab aka the 'crotchbomber' despite suspicious activity such as flying on a one-way ticket.

Only according to the Nigerian press, Farouk's ticket
was a return and he even went so far as to change the routing on the return leg.